AD user authentication on vCenter fails with "Invalid Credentials" and "A vCenter Single Sign-On service error occurred"

Article ID: 402295

Products

VMware vCenter Server

Issue/Introduction

  • Active Directory users are unable to authenticate to the vCenter Server and receive "Invalid Credentials" error messages when attempting to log in.
  • Authentication of the vSphere SSO account ([email protected]) and of all other users in the vsphere.local domain succeeds.
  • The vCenter reports "A vCenter Single Sign-On service error occurred" when navigating to Administrator > Users and Groups, as seen below:

  • The /var/log/vmware/sso/ssoAdminServer.log reports the following warnings and error traces:

YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49
YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ldapserver.domain.com:636, CN=ldapservice_user,OU=ServiceAccounts,OU=ENT,DC=DOMAIN,DC=COM]
YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] cannot establish ldap connection with URI: [ldaps://ldapserver.domain.com:636] because [Invalid credentials] therefore will not attempt to use any secondary URIs
YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.provider.BaseLdapProvider] com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials\nLDAP error [code: 49]
YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.IdentityManager] Failed to find group [groupname.domain.com] for tenant [vsphere.local]
YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials\nLDAP error [code: 49]'
com.vmware.identity.interop.ldap.InvalidCredentialsLdapException: Invalid credentials

2025-05-22T03:45:08.030Z ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] Caught an unexpected exception
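As an added example (not part of this article, standard-library Python only), the following scans ssoAdminServer.log text for the signature above, correlating the LDAP error code 49 with the failed bind of the identity-source service account by OpId, so that an expired service account password can be alerted on before users report login failures. The sample lines are constructed from the traces quoted above; the healthy INFO line and its OpId are invented for the negative case.

```python
import re

# Constructed sample modelled on the ssoAdminServer.log traces quoted above (not a real log).
SAMPLE_LOG = """\
2025-05-22T03:45:07.900Z WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49
2025-05-22T03:45:07.901Z WARN ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] cannot bind connection: [ldaps://ldapserver.domain.com:636, CN=ldapservice_user,OU=ServiceAccounts,OU=ENT,DC=DOMAIN,DC=COM]
2025-05-22T03:45:08.030Z ERROR ssoAdminServer[803:pool-2-thread-24] [OpId=6afa2e35-42e8-4cf2-a3b9-36b1f1c656e9] [com.vmware.identity.idm.server.ServerUtils] Caught an unexpected exception
2025-05-22T04:00:00.000Z INFO ssoAdminServer[803:pool-2-thread-3] [OpId=1b2c3d4e-0000-4000-8000-000000000000] [com.vmware.identity.idm.server.IdentityManager] Scheduled identity source refresh completed (constructed healthy line)
"""

# LDAP resultCode 49 is invalidCredentials (RFC 4511): the directory refused the bind itself.
INVALID_CREDENTIALS = 49

OPID = re.compile(r"\[OpId=(?P<opid>[0-9a-f-]+)\]")
ERR_CODE = re.compile(r"Error received by LDAP client: .* error code: (?P<code>\d+)")
BIND_FAIL = re.compile(
    r"^(?P<ts>\S+) WARN .*cannot bind connection: "
    r"\[(?P<uri>ldaps?://[^,\]]+), (?P<dn>[^\]]+)\]"
)


def find_bind_failures(log_text):
    """Return one record per OpId where an LDAP error code 49 was logged and the
    same operation then reported 'cannot bind connection' with a URI and bind DN."""
    last_code = {}  # OpId -> last LDAP result code logged for that operation
    findings = []
    for line in log_text.splitlines():
        op = OPID.search(line)
        if not op:
            continue
        opid = op.group("opid")
        code = ERR_CODE.search(line)
        if code:
            last_code[opid] = int(code.group("code"))
            continue
        bind = BIND_FAIL.search(line)
        if bind and last_code.get(opid) == INVALID_CREDENTIALS:
            findings.append({"timestamp": bind.group("ts"), "opid": opid,
                             "uri": bind.group("uri"), "bind_dn": bind.group("dn")})
    return findings


def describe(finding):
    """Alert text for one correlated bind failure of the identity-source service account."""
    return (f"{finding['timestamp']} bind as {finding['bind_dn']} to {finding['uri']} refused "
            f"(LDAP 49 invalidCredentials); check whether the service account password expired or changed")
```

Run it against a copy of /var/log/vmware/sso/ssoAdminServer.log, or feed the lines from a log shipper; a hit on the identity-source bind DN is the point at which the Cause below applies.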

Environment

vCenter 7.x
vCenter 8.x

Cause

The vCenter authentication failure was caused by an expired password on the LDAP service account used by the Active Directory identity source, so vCenter could no longer bind to Active Directory.

Resolution

To resolve this issue: 

  • Reset the service account password on the Active Directory side.
  • On the vCenter, re-establish the LDAP/LDAPS connection with the new password for the service account.
    • Administration --> Users and Groups --> Configuration --> Identity Provider --> Click on the LDAP configuration and Edit.
    • Input the service user's new password and click Add as shown below:
      • Note: If LDAPS is used, the LDAP server certificate(s) must be added.